create-session stateless usage


Problem description

I was hoping that changing to create-session="stateless" would be the end of it to achieve stateless Spring Security in my webapp, but it is not so.

With that change, Spring Security seems to be not working, since (my assumption) Spring Security doesn't store anything in the session and cannot do authentication for secured web requests.

How do I use this stateless feature?

I cannot seem to find any relevant examples yet on how to achieve stateless Spring Security for a stateless webapp.

Thanks!

Recommended answer

I have a Spring-based webapp which has fully stateless security, and the only way to make it work like that is to disable session creation completely (with create-session="never"). That forces re-authentication with each request, so you'll be wanting to also configure the webapp to use HTTP Basic Auth or Digest Auth (over HTTPS, of course), as those don't require a particularly complex negotiation (by contrast, form-based login and OAuth both require a session because they have a much more complicated process for establishing the authentication context). That means you'll want to put an element like <security:http-basic /> inside your <security:http> element.

(The advantage of doing it this way is that it enables extremely simple client libraries, as they don't have to do cookie/session management. The cost is some processing overhead, since the set of roles the user is participating as has to be recomputed on each request, and some limitations on which authentication mechanisms you can use.)
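The configuration the answer describes, written out as an added example (not code from the original question or answer). It uses the Spring Security 3.1 XML namespace; the URL pattern /api/**, the in-memory user and the credentials are assumptions for illustration. It keeps the questioner's create-session="stateless" rather than the answer's create-session="never": both stop the filter chain from creating a session, but "never" will still read a SecurityContext out of a session that some other part of the application created, whereas "stateless" ignores any existing session entirely. Either value only works when every request carries its own credentials, which is why the form-login setup the questioner presumably had stopped working and why <http-basic /> is the piece that makes it stateless:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not from the original post. Spring Security 3.1 namespace
     config for a stateless, HTTP Basic protected API. The /api/** pattern, the
     user "apiuser" and its password are illustrative assumptions. -->
<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                 http://www.springframework.org/schema/beans/spring-beans.xsd
                 http://www.springframework.org/schema/security
                 http://www.springframework.org/schema/security/spring-security.xsd">

    <!-- create-session="stateless": no HttpSession is created and none is
         consulted, so the SecurityContext is rebuilt from the request each
         time. The answer's create-session="never" also works here, but would
         still use a session created elsewhere in the app if one exists. -->
    <http pattern="/api/**" create-session="stateless" use-expressions="true">

        <!-- Every request must authenticate, and must do so over TLS so the
             Basic credentials (base64, not encrypted) are never sent in clear. -->
        <intercept-url pattern="/api/**" access="isAuthenticated()"
                       requires-channel="https" />

        <!-- HTTP Basic is a single round trip with no server-side state, unlike
             form-login or OAuth, which need a session to finish their flow. -->
        <http-basic />

        <!-- Deliberately no <form-login />: with a stateless chain the
             post-login redirect would have nowhere to keep the context. -->
    </http>

    <!-- In-memory user for the example only; a real deployment would point
         this at a JDBC/LDAP user store with hashed passwords. -->
    <authentication-manager>
        <authentication-provider>
            <user-service>
                <user name="apiuser" password="changeit" authorities="ROLE_USER" />
            </user-service>
        </authentication-provider>
    </authentication-manager>

</beans:beans>
```

A quick check that the chain really is stateless: a request to a protected URL without credentials should get a 401 with a WWW-Authenticate: Basic header, the same request with -u apiuser:changeit should succeed, and neither response should carry a Set-Cookie: JSESSIONID header; if one appears, something in the application (a JSP, or a handler calling request.getSession()) is still creating sessions and the security context may be landing in it.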

